1. Key Developments
Some key developments expected in the next quarter are:

• Adoption of the EU-US Privacy Shield by the European Commission;

• Government consultation on revising FOI section 45 Code of
Practice following the Burns Commission report on FOIA;

• Government decision on the legislative vehicle for implementing
member state level elements of the GDPR and law enforcement
directive.


2. Cross Sectoral Work


2.1 External guidance 


In the last quarter we have published new guidance on the following 
areas: 


We consulted on an updated version of our privacy notices code of 
practice. The new code addresses the challenge of providing privacy 
information in a digital environment and how to develop clear and 
accessible notices. 

Updated guidance on direct marketing, taking account of recent 
enforcement cases and the recommendations of the Which? 
taskforce on nuisance calls. 

Updated guidance on the definition of environmental information, 
definition of public authority and charging for requests. 

Interim guidance on international transfers following the Schrems
judgment of the Court of Justice of the EU. The guidance also
covered the announcement of the EU-US Privacy Shield as the
proposed replacement for safe harbour.


Contact: Steve Wood/Jo Pedder


2.2 Technology 


New guidance was published in the following areas: 


Using encryption - including on different scenarios and when 
encryption is an effective safeguard. 

Wi-Fi and location data - including on how individuals should be
informed about Wi-Fi tracking and how to minimise the privacy
impact.

Updated guidance on IT security particularly focused on small 
business. The guidance now better aligns with the Government’s 
cyber essentials scheme. 


Work is also ongoing in the Article 29 working party technology sub group 
on a number of issues (the ICO chairs the group) - new opinions on Wi-Fi 
location tracking, employee monitoring and data portability will be 
published in the autumn. 


The technology team have also completed a sweep of 21 mobile apps. In
the ICO’s lab the team installed and used each app, and analysed its
network traffic. The key findings were set out in an ICO blog, which
highlighted failings such as apps using encrypted connections that did not
check digital certificates adequately.


Contact: Simon Rice 


2.3 Freedom of information 


In March 2016 the Independent Commission on Freedom of Information 
published its report. Alongside 21 recommendations it concluded 'that the 
Act is generally working well, and that it has been one of a number of 
measures that have helped to change the culture of the public sector’. 
The Information Commissioner welcomed the report. 


The report reflected a number of the submissions that the Commissioner 
had made in his written and oral evidence. No proposals were made to 
remove the public interest test from the exemptions that protect policy 
information and internal discussion (sections 35 and 36), though the 
Commission did propose to clarify the scope of the exemptions and 
factors related to the public interest test. The Commission proposed that 
the veto provisions in the legislation were clarified to enable the veto to 
be used as Parliament intended, though this would be a veto of the 
Information Commissioner’s decisions rather than judicial decisions. The 
Commission also found that introducing charges for FOI requests would 
not be a reasonable step. 


The report also contained welcome support for outstanding 
recommendations from the post-legislative scrutiny in 2012, including a 
statutory time period for when public authorities wish to extend the time 
for compliance to consider the public interest test. It also made welcome 
findings on public authorities publishing better statistical information 
about their FOI compliance. 


The Commission also highlighted the importance of the ICO receiving 
adequate funding. 


The Government responded quickly to the report, indicating that they 
were not minded to introduce any legislative changes in response. The 
most likely step will be to revise the section 45 code of practice, including 
guidance about vexatious requests and publishing FOI statistics. 


Contact: Steve Wood 
2.4 Self assessment toolkit 


The self assessment toolkit aimed at SMEs was launched on 28 January
and was instantly popular, receiving 7,085 hits between 28 January and
10 February. Traffic peaked at 1,521 page views on 4 February, the day
the e-newsletter went out. We also received positive feedback via Twitter
and LinkedIn, and took the opportunity to conduct demonstrations of the
toolkit at the DPPC.


Contact: Louise Byers 


2.5 Customer contact service profile 


Our Advice and Registration Services dealt with 204,000 Helpline calls 
and approximately 13,000 requests for advice in writing during this 
financial year. 


We profile the way our customers use our services throughout the year to 
better understand and improve how our customers contact us. Some 
headlines for this year are: 


• Approximately half our enquiries are from members of the public
and half are from those we regulate. 
This has been a very consistent feature of our services for a number 
of years. 


• Half our customers have visited ICO.org.uk before contacting us for
advice. 
This is an important feature of our service. Our website is a 
frequent first port of call for many of our customers, but it is 
important we continue to recognise that just as many customers 
want, and often need, to talk something through with us in person. 


• Approximately a third of our customers are small and medium sized
enterprises. 
We are keen to make it as easy as possible for SMEs to have access 
to quick and simple advice when they encounter information rights 
issues or are making information rights related plans. It’s often a 
relatively infrequently visited topic for many SMEs but millions of 
citizens are employed by, or are customers of, these organisations. 


• 80% of our enquiries are about data protection, 15% PECR and 4%
FoI.
This is again a very consistent feature of our services over many 
years. 


• 9 out of 10 enquiries are dealt with by our first point of contact with
a customer. 
Our priority is for our customers to get the information they need. If 
this means consulting with, or passing an enquiry to, a colleague 
who’s better placed to deal with it, we encourage our staff to do 
this. However, we continuously train and develop our staff so that 
most things we are asked can be dealt with by the first person our 
customers make contact with. 


• 5% of our enquiries are sent to us in error.
Given the wide range of issues we deal with we believe this is a low 
proportion of misguided contacts. We do however work hard to 
make sure that our staff have a strong understanding of the issues 
most likely to cause a customer to contact us in error. We also 
review the information we provide online on a regular basis. The 
service we provide to these customers when directing them 
elsewhere is just as important to our reputation as our service to 
those who've found the people they need. 


Service Satisfaction 

As well as understanding who our customers are and what they need from 
us, we also want to make sure the quality of our service remains as high 
as possible. We regularly use independent researchers to survey 
satisfaction with our service against some key measures. 


The headline results of our 2015/6 research of our Helpline service are 
summarised below. Of the calls surveyed: 


• 100% were described as having taken the needs of our customers
seriously. 


• 98% of callers were satisfied their enquiry had been clearly
understood. 


• 98% of callers rated the knowledge of the person they spoke to as
either ‘very good’ or ‘good’. 


• 99% of callers said they received a clear response.

• 99% of callers described the service as polite and professional.

• 97% of callers said they received a friendly service.


• When asked how helpful the service was, 95% of callers described it
as helpful or very helpful. 


We are delighted with what these results say about the service we are 
providing to a large number of customers with a wide range of 
information rights enquiries. 


As well as taking a lot of reassurance from the results we will also be 
looking for opportunities to improve. Very early areas identified are: 


• To look at the resourcing of the Helpline service at lunchtime. Calls
made to the service at this time of day had a slightly increased
tendency to be described as feeling slightly more hurried. At this
time of day we typically see an increase in calls and a reduction in
available resource.


• The reason for the general helpfulness of the service being rated
slightly below the other measures (although we are clearly not
describing 95% satisfaction as negative), was because a small 
number of misguided callers felt they were given inadequate 
information to clearly signpost them elsewhere. This is an area we 
can review in the future. 


At the time of writing the full qualitative analysis of the results is yet to be 
received. A thorough lessons learned exercise will be carried out as soon 
as we have this information available. We are also expecting the results of 
our customer satisfaction research for our written advice services during 
the next quarter. 


Service Improvements 


We routinely review our service to make sure we remain relevant to the 
needs of our customers and are able to appeal to customers who may not 
have contacted us before. 


Reflecting on the steadily increasing proportion of enquiries from SMEs, 
and the increasing tendency for enquiries to relate to potentially 
innovative uses of technology, we have started a project to develop 
increased industry and sector expertise in the service. ‘Technology master 
classes’ and increased briefing materials in this area will also be made 
available to help staff remain on top of relevant information rights 
technology developments. 


We are also currently developing a range of new digital services for our 
website. The first of these was launched at the end of this quarter. It’s a 
‘live chat’ service which allows customers visiting the website to have a 
conversation, in writing, with a member of our staff using an instant 
messaging service. We will be looking to actively publicise the service 
once the initial pilot phase is complete, but early indications are that it 
will prove popular for customers who prefer to contact organisations in 
this way. 


Paul Arnold 
Head of Customer and Business Services 


3. Government and Society Sector
3.1 Data sharing proposals, including possible legislation 


We have continued to engage with the Cabinet Office on its plans to make 
better use of government data. In February they published a consultation 
on legislative proposals to improve data sharing in a number of specific 
areas including research and statistics; tailored public services; and 
counter-fraud and debt measures. We have also attended a number of 
open policy making workshops with civil society, central and local 
government to help develop the proposals and consider safeguards such 
as codes of practice and use of privacy impact assessments. We have also 
met the General Register Office to discuss their proposal for a permissive 
power to share births, deaths and marriage information. We have 
attended a workshop and provided advice to the Better Regulation 
Delivery Office who are producing data sharing guidance for regulators. 


Outcome: 


We can welcome the key guiding principles behind the Cabinet Office’s 
consultation document, which include no building of new, large, and 
permanent databases or collecting more data on citizens; no 
indiscriminate sharing of data within government and no amending or 
weakening of the Data Protection Act. There is a proposed primary 
legislation requirement to consult the Information Commissioner on codes 
of practice that will reinforce DP principles and ICO guidance. The codes 
will require PIAs to be produced in line with ICO guidelines for each data 
sharing arrangement and be made available for public scrutiny. It is 
proposed that all the sharing or linking of data should be proportionate 
and data should be minimised to that necessary for the proposed uses. 
Some civil society groups have concerns about the proposals and a key 
consideration for us is whether safeguards set out in codes are sufficient. 


Future work: 

We shall continue to participate in the Cabinet Office’s policy making 
programme and will respond in detail to their public consultation. We shall 
continue to provide advice to the BRDO on their data sharing guide. 
Contact: Judith Jones, Jonathan Bamford, Sarah Clement 

3.2 Political parties and campaign groups 

As the EU referendum campaign gets underway the office has already
started to receive complaints. Very often members of the public do not
realise that campaign groups who register with the Electoral Commission
are entitled to receive copies of the full electoral register and can use this
information for campaign purposes. The Electoral Commission has now
chosen the two designated campaign groups: Vote Leave and Britain
Stronger in Europe. We published a blog on 6 January 2016, reminding
campaign groups and political parties that they must comply with the law.
We have also been advising on a number of issues relating to other
elections taking place in May.


Outcome: 


We have engaged with the Electoral Commission to ensure that we 
provide accurate advice to the public on which organisations are entitled 
to receive access to the full electoral register. We have also had 
discussions with the Cabinet Office on electoral issues and they have 
agreed to a further meeting to discuss uses of the open and full registers. 


Future action: 


We shall continue to monitor any concerns and provide further advice or 
take enforcement action where appropriate. 


Contact: Judith Jones, Viv Adams, Sue Markey 
3.3 Charity fundraising 


As the office completes its investigation into fundraising practices, we are 
seeking to build up our engagement with the charity sector to be 
proactive in helping them understand their fundraising obligations as well 
as how to comply with the DPA. We have met the interim CEO of the new 
Fundraising Regulator to discuss future engagement and a draft MoU. We 
also responded to a consultation on their proposed Fundraising Preference 
Service (FPS), expressing concerns about the potential for confusion with 
the statutory Telephone Preference Service (TPS) and other non-statutory 
services such as the Mailing Preference Service (MPS). We also responded 
to the Charity Commission’s consultation on their fundraising guidance in 
which we supported their focus on the primary responsibility of trustees 
for their charities’ fundraising activities. We have met the RNLI and other 
charities who are keen to move to an opt-in model of consent. We have 
also met lawyers involved in advising charities and have spoken at a 
number of events on security. 


Outcome: 
We have established good initial contact with the new Fundraising
Regulator’s office and have given some well received presentations to
charity groups.

Future action:

We are due to meet representatives of the Fundraising Regulator and the 
NCVO to discuss their FPS proposals. We shall continue to speak at events 
and engage with key stakeholders in the charity sector to ensure they 
understand their obligations and improve their fundraising practices. 
Contact: Judith Jones, Richard Marbrow, Ian Inman

3.4 National Audit Office and government data 

We have met the National Audit Office who are undertaking a study into 
central government’s approach to information assurance, primarily the 
Cabinet Office and CESG (the information security arm of GCHQ). This is 
particularly in light of the government’s plans to digitise services and to 
evaluate the operation of the security classification scheme. 

Outcome:

We had a constructive discussion about central government and their 
departments’ approach to information assurance and updated the NAO on 
the GDPR. We agreed that at the next meeting it would be useful if they 
could share the key findings of their study. 

Future action: 


We have agreed to continue contact, involving other specialists in the ICO 
as appropriate. 


Contact: Jonathan Bamford, Judith Jones
3.5 HMRC employment history subject access requests 


REDACTED

4. Police, Justice and Borders Sector

4.1 Police Use of Surveillance Technologies 
REDACTED 

2.2 Police National Computer (PNC) 

REDACTED 

2.3 Investigatory Powers Bill 

REDACTED 

2.4 National Law Enforcement Databases Project 
REDACTED 

2.5 Metropolitan Police Service 


REDACTED 




5. Public Services Sector 
5.1 Information governance workshop 


In conjunction with Hartlepool Borough Council, we ran an information 
governance workshop for over 30 regional school staff which received 
excellent feedback. 


We completed the final five workshops for the Local Medical Committees.
Additionally, in the health sector we worked closely with Ambulance Trusts,
where we undertook research into information governance incident
reporting logs, an audit, two advisory visits and online surveys. We are
currently working to produce an awareness video and a co-branded
campaign poster.


We completed six reports into integrated health and social care pioneer 
projects and conducted an information risk review of an FOI service 
shared by two district councils. 


Contact: Louise Byers 
5.2 High Profile Case - Care.data disclosure objections 


Patients were offered the opportunity to object to Health and Social Care 
Information Centre (HSCIC) sharing their personal data with other 
organisations. This is known as a ‘type two’ objection. This option was 
provided through household leaflet drops and there is currently a pause 
given concerns over the process. Patients who acted on the leaflets 
informed their GP who would then ‘flag’ the objection in their electronic 
record. As full Care.data extraction was not initiated the ‘flags’ have not 
been received by HSCIC and therefore data flows to third parties are 
taking place irrespective of these. There has been media coverage of this 
and we have received a complaint from a civil society organisation. 


Concerns have also been raised with us about what are known as ‘type 
one’ objections which stop data going to the Care.data programme. The 
concern is that the ‘flag’ not only blocks the data flow from the GP to 
HSCIC for its purposes but from the GP to any other organisation for 
anything other than a patient’s direct care like health screening 
appointments. 


Outcome: 
The Commissioner has written to the Chair of the HSCIC about the ‘type
two’ issue informing him that this is a matter of public concern and asked
what actions are being taken to remedy the problem. A holding letter has
been received. Enforcement have agreed an undertaking with HSCIC to
move to respecting objections but this has depended on directions from
the Secretary of State which are at the point of signature. The undertaking
will be signed once these are received.


Future work: 


Issues regarding what individuals could reasonably expect from the 
privacy notice information provided to them, what has actually happened, 
whether a breach had occurred and what actions need to be taken will be 
explored and communicated. The ‘type one’ issues around patient 
expectation and what is happening in practice are being explored. 


Contact: Victoria Cetinkaya, Laura Booth (undertaking work)
5.3 Troubled Families (Evaluation and Mark 2) 


The expanded troubled families programme and the associated National 
Impact Study (NIS) have begun roll out. Whilst the programme is now 
running it remains controversial and many local authorities have still 
refused to provide data for the NIS as they do not believe they can do so 
in a compliant manner. 


Outcome: 


We continue to work with the Department for Communities and Local 
Government (DCLG) to communicate the issues and data protection 
implications. The Full Employment Bill may contain a new ‘legal gateway’ 
for the sharing of data for the troubled families. 


A joint webinar with DCLG was a great success in dispelling myths and 
gaining understanding. Work with the I-network group and others 
revealed a need to understand the data flows and through this we have 
been introduced to a group of authorities who would be willing to discuss 
the issues and how they are planning to overcome them. 


Future work: 

We will provide a formal response to the Full Employment Bill 
consultation. We will be working with local authorities’ representative 
bodies to assist organisations in understanding the information rights 
implications. We will be meeting with specific areas to identify what the 
key issues and data flows are in practice. 


Contact: Stacey Egerton 
5.4 National Data Guardian (NDG) Consent Review


The Secretary of State for Health commissioned the NDG to review and 
produce a report detailing whether the NHS should offer an opt out of 
data being used for purposes other than direct care. We were asked to 
take part in the review panel. 


Outcome: 


Increased involvement with the panel has assisted us in ensuring that the 
DPA aspects of the process have been taken into consideration. 


We have also ensured that the impact of the new GDPR has been factored 
into the considerations in order to ‘future proof’ any implementation 
process. 


Future work: 

We will maintain close working relationships with the NDG and her team. 
The report once accepted by the Health Secretary will be put out to public 
consultation. We will be required to give further input once the analysis of 
the results has been compiled. 


We will continue to monitor progress and identify and influence key 
aspects and impacts. 


Contact: Stacey Egerton 

5.5 New Models of Care 

The present trend for increased data sharing to facilitate public sector 
transformation and integrated care continues. Numerous regional area 
multi agency sharing initiatives require our attention. 

Outcome: 

We have increased contact with the Local Government Association, 
Information Governance Alliance, Pioneer Programme Board and Centre of 
Excellence for Information Sharing. 

Our presence at key workshops, conferences and panels in this area of
work is enabling us to better understand the issues and to offer advice to
minimise the impacts on information rights.

One area which has become an apparent issue is the use of IT products to
facilitate sharing which may not be fully DPA compliant.

Future work:


Working with Tech UK and others we will explore the data processor 
issues and ensure our views are expressed and understood. 

We will be working with key stakeholders to continually monitor and 
identify areas of concern and improvement and to identify good practice. 
We will be encouraging representative bodies to produce sector specific 
guidance which incorporates our views. We will continue attending 
relevant panels and boards. 


Contact: Andrew Rose 

5.6 Citizens Jury

We have assisted Manchester University in their research project to 
ascertain what the public think about the use of medical records. 

The vehicle they used was a citizen’s jury. 

Outcome: 

Over the course of 6 months we have assisted in the setting up of the 
juries, the delivery and analysis and then in conjunction with the 
University we held a post jury workshop attended by senior level staff 
across health and social care to discuss the output and how to take the 
work forward. 


Future work: 


We will consider how best to use the output of the juries to enhance how 
we better inform citizens of their rights. 


We will provide a blog post of the output of the jury from our perspective. 
It is also likely that other juries would be beneficial for other questions 
across different sectors. 


Contact: Jonathan Bamford 
6. Business & Industry Sector
6.1 Outcomes reports and DRIPA audits


We produced an outcomes report based on 10 visits to residential sales 
and lettings organisations. 


The Communications Audit Team has now completed DRIPA audits on a 
number of CSPs, with the remainder planned before the end of the 
calendar year. The team is continuing to prepare for the ICO’s future
audit responsibilities under the Investigatory Powers Bill. 


Contact: Louise Byers 
6.2 Connected vehicles 


The introduction of connectivity equipment and services in new motor 
vehicles poses a number of data protection and privacy challenges which 
we envisage will require the ICO to increase its engagement with the 
automotive sector. Connectivity systems have already been made 
available in the UK by a number of major vehicle manufacturers, with 
more expected to follow. In other parts of the world, notably the US, 
drivers can choose from a far greater number of pre-installed and add-on 
systems, often with increased functionality. 


The features provided by connectivity systems range from options to sync 
users’ social media accounts with a vehicle’s on-board computer, through 
to the ability for a car to contact the emergency services in the event of a 
collision or automatically book a service with an authorised dealer. Many 
systems also include remote tracking and locking features. This creates 
potential for vast volumes of personal data to be processed by vehicle 
manufacturers, including telemetry and vehicle diagnostic data, personal 
contact details, preferences and location information. 


Whilst the systems offered by manufacturers will undoubtedly provide 
drivers with benefits, the volume and range of data processed, combined 
with the nature of used, lease and rental car markets, creates some fairly 
unique data protection challenges. 


Outcome: 
Our initial research has provided us with a better understanding of the
technologies and associated issues that we need to take forward with
industry.

Future Work:


We have been in contact with the British Vehicle Leasing and Rental 
Association (BVLRA) with a view to setting up a roundtable with its 
members. We also need to engage with motor vehicle manufacturers, as 
well as policymakers and other interested parties. We are also attending, 
and speaking at, a connected vehicles conference in April. 


Contact: Garreth Cameron 
6.3 GDPR roundtable events 


There is a significant demand from stakeholders wanting to better 
understand the implications of EU data protection reforms and the ICO’s 
position on key issues. Building upon the listening event the ICO ran in 
January 2016, the Business & Industry Group have held a number of 
roundtable events with industry groups in order to better understand 
which provisions cause particular industries the most concern, and to 
determine their priorities in terms of advice and guidance output from the 
ICO. 


We have run events with Ofcom, the Association of British Insurers, the 
British Bankers Association/Association of Financial Markets in Europe, 
techUK, the Internet Advertising Bureau (UK) and Incorporated Society of 
British Advertisers. In addition we have also participated in a webinar on 
GDPR and its impact on businesses which was hosted by the 
Confederation of British Industry. 


Outcome: 

We have recorded the feedback received from stakeholders, and have 
demonstrated that the ICO is a responsive regulator willing to listen, learn 
and engage with industry on these significant issues. 

Future work: 

We will feed back the views and comments received from stakeholders to
Policy Delivery colleagues in order that these may be taken into account 
in the ICO’s implementation plans. 

Contact: Garreth Cameron 

6.4 Competition investigation remedies 

The Competition and Markets Authority (CMA) recently completed two
separate investigations into the energy industry and retail banking
respectively. These investigations led to remedies being proposed to
address the issues found. The proposed remedies potentially impact on
our information rights policy work, as through various means it is 
recommended that those who have been disengaged in the market are 
subjected to marketing and prompts to change their supplier or provider. 


We responded in writing to each of the proposed remedies, as well as to 
an overarching consultation by the Department of Business, Innovation 
and Skills (BIS) on switching principles more generally. In addition, we 
also held meetings and have been in correspondence with the CMA to 
explore the proposals in more detail. 


We published a statement following publication of the CMA’s energy 
market investigation report and comments made in the media by their 
spokesperson which wrongly implied that we had agreed to the sharing of 
some customer data with all rival energy providers to encourage 
switching supplier. 


Outcome: 


We have made the CMA aware of the issues arising and have sought to 
publicly clarify any misconception that may have arisen.


Future work: 


We are continuing in our conversation with the CMA regarding this 
matter, taking into account further submissions they have made and 
seeking policy advice where appropriate. We are intending to undertake 
further work in the next financial year to continue to build our 
relationships with other regulators. 


Contact: Garreth Cameron, Rick Syers, Abigail Saul 


6.5 Internet of Things (IoT), big data, social scoring and
algorithms 


Sectoral contact identified a number of developments and a paper
reflecting these was considered at the ICO’s Emerging Technologies PAAG
setting out our observations on developments in the related areas of IoT,
big data, social scoring and algorithms. For example, services are now
being offered to rate a person’s reliability or creditworthiness using data
from their social media accounts. This paper analysed some of the legal,
practical and policy issues arising from new technologies and business
models, and set out recommendations for further action.

Outcome:


The research undertaken has provided a clearer understanding of the 
issues and recommendations for action. 


Future work: 


The findings of the paper will be fed into the next iteration of the ICO’s
big data paper. As well as undertaking direct engagement with 
organisations concerned, we will also look to hold a policy conference to 
explore the issues in further detail with a wider range of stakeholders. We 
will also look to commission some research to gain a better understanding 
of the problems and explore potential solutions. The issue of social media 
scoring will be considered at the next ICO citizen reference panel. 


Contact: Garreth Cameron, Alastair Barter, Darren Read 
7. National Regions
7.1 Wales 
7.1.1 Wales Audit Office (WAO) - “Dare to Share” conferences 


The WAO arranged two conferences on data sharing as part of its Good 
Practice Exchange programme, one in south Wales and one in north 
Wales. These were aimed primarily at managers and senior IG risk 
owners in the public and third sectors. Entitled “Dare to Share”, they 
focussed on the need to share personal data in certain circumstances in 
the public interest, and featured real life examples of both good and bad 
practice when sharing. We provided one of the keynote speakers and also 
ran interactive workshop sessions at each conference. 


Outcome: 


Both events were very well attended, and from our perspective were 
highly worthwhile as they cemented existing relationships, gave us 
opportunities to network with other significant IG managers and prompted 
ongoing conversations about data sharing. 


Future work: 


We will continue to build on good working relationships with the WAO and 
also with those with whom we have since had conversations and to whom 
we have given advice. 


Contact: Anne Jones, Helen Thomas 


7.1.2 Launch of WASP (Wales Against Scams Partnerships) and its 
Charter 


WASP is a partnership of organisations that are committed to keeping 
people in Wales safe from scams. The Partnership is led jointly by the 
Older People’s Commissioner for Wales and Age Cymru, and the ICO is 
one of the partners, with our PECR work particularly featuring in the 
WASP Action Plan. 


The Partnership and its Charter were officially launched at the National 
Trading Standards Scams Team conference in Cardiff in March. We 
participated in this, raising awareness of the role of the ICO, and we also 
contributed to the cost of publishing the WASP Charter. 

Future work: 


We will continue our involvement in the Partnership, and also work with 
individual partners as necessary, for example Get Safe Online, with whom 
we have worked separately this quarter. 


Contact: Anne Jones, Helen Thomas 
7.1.3 WASPI project closure 


As from April 2016, Welsh Government funding for the WASPI information 
sharing programme will cease, and responsibility for it will pass to the 
NHS Wales Informatics Service, where it will be integrated into their 
agenda. We took part in a national conference arranged to celebrate the 
achievements of WASPI over the last decade, and which also looked 
forward to its future role within NWIS. We provided a keynote speaker 
and information stand as well as participating in the round table 
discussions. 


Future work: 


The regular liaison meetings held with WASPI will continue now with 
NWIS, although with some change of emphasis and format. 


Contact: Anne Jones, Dave Teague 
7.1.4 Health sector activity 


A number of separate strands of work have continued with the health 
sector in Wales this quarter. 


Following the findings of the IG training review we undertook last year, 
and input from Good Practice colleagues, we ran a half day DPA workshop 
with NHS Wales Procurement Managers, particularly looking at data 
controller / data processor issues and the governance implications of 
each. 


At a strategic Wales-wide level, discussions at the Wales Information 
Governance Board included an update on data sharing between A&E 
departments and the Ambulance Service, the IG toolkit plans for Wales, 
the National Intelligent Integrated Auditing system (monitoring of 
inappropriate health record access), section 251 as it applies in Wales, 
the WASPI project closure and IGMAG developments. 

IGMAG (Information Governance Management Advisory Group) is the 
national IG Managers group for the NHS in Wales. The group is making 
real progress revising the NHS Wales online IG training modules, 
developing a Wales wide approach to key IG policies and assessing 
options to upgrade and/or replace the CPiP assessment tool following the 
findings of our training audit last year. Our role in this group is to support 
IGMAG by attending meetings, providing advice and guidance as 
appropriate. 


Future work: 

Liaison work and provision of advice will continue on a regular basis. 
Contact: Helen Thomas 

7.2 Northern Ireland 


7.2.1 Improving and embedding effective information rights 
practice across the NI Utility Sector 


After clarifying the limited application of the Data Protection Act to the 
sharing of information pertaining to businesses by the Utility Regulator for 
Electricity and Gas NI (UREGNI), the opportunity was taken to provide the 
utility companies themselves with practical compliance advice on both 
data protection and direct marketing. This included a bespoke workshop 
focussing on privacy statements, consent, direct marketing and data 
sharing which was delivered to the NI electricity companies. 


Future action: 


It seems likely that a review may now take place of the existing codes of 
practice regarding both the licence arrangements for the companies with 
regard to information sharing, as well as the code of practice on 
marketing. The ICO will be liaising with both the UREGNI and the energy 
companies to assist with this process if necessary. In addition, as a result 
of improved engagement, we are considering the development of an MOU 
with the UREGNI. 


Outcomes: 

Improved information rights awareness and compliance throughout the NI 
Utility sector. Improved understanding of information rights compliance, 
and the enabling of more effective data sharing to assist and benefit both 
businesses and citizens across NI. Strengthened relationships with both 
the UREGNI and utility companies. 


Contact: Shauna Dunlop 

7.2.2 Enabling direct marketing compliance with NI Charity Sector 


Successful partnership working with NI Council for Voluntary Action 
(NICVA), the umbrella group for the NI charity sector, to deliver the first 
quarter of a “#DataFriday” strategy. We have delivered three of the 
twelve planned workshop sessions covering “An Introduction to DP”, 
“Direct Marketing” and “Information Rights for Member-based 
organisations”. NICVA promote and advertise the sessions, arrange the 
venues and organise the sessions whilst we provide the content and assist 
with their promotion. We have also assisted the Charity Commission NI 
(CCNI) with a review of its guidance on direct marketing. 


Future action: 


We are organising a meeting with both NICVA and the CCNI regarding the 
legislative basis for charity fundraising regulation in NI. Work will continue 
as required to assist CCNI in ensuring understanding of and compliance 
with both direct marketing and data protection across the sector. The #DataFriday 
Strategy will continue as planned throughout 2016/17. 


Outcomes: 


Improved understanding and compliance with direct marketing and data 
protection legislation across the charity sector. By combining both policy 
advice with interactive theory and practice through an overarching 
strategy, practice is improved both at an individual and operational level. 
This is further strengthened by the underpinning strategic objectives of 
the sector as a whole. 


Contact: Shauna Dunlop, Rachael Gallagher 


7.2.3 Assisting with effective, lawful information sharing practices 


We have provided guidance to Citizens Advice NI (CANI) on lawful data 
sharing practice and compliance with respect to external audit controls. 
Our advice was issued to operational staff, to standards and compliance 
management staff and to the strategic management board. As a result, 
issues were clarified and understood, and the external quality audit 
processes were completed. Subsequently, CANI initiated a review into 
data sharing practice across the CAB branch offices in NI. We commented 
on the review’s draft terms of reference and ensured that the twelve 
steps in our new guidance on the GDPR are included within it. 

Future work: 


To further assist with the CAB review, where required. We have asked to 
be kept informed as to the outcome also. 

Outcome: 
Improved data sharing compliance within the CAB network. 
Contact: Shauna Dunlop, Rachael Gallagher. 


7.2.3 Improving understanding of compliance of FOIA and EIR at 
Departmental level 


Following an enquiry from the NI Department for Culture, Arts and Leisure 
(DCAL) relating to a draft terms of reference for a multi-agency steering 
committee responsible for NI stadia, we identified issues which could lead 
to non-compliance with FOIA and EIR. Cognisant of local political issues, 
we provided advice on good practice for Committee 
Members/representatives. 


Future action: 


We will be attending the next steering committee to provide some good 
practice guidance on compliance with the legislation. 


Outcomes: 


By following up on the policy advice through direct engagement with the 
Department and committee members, the risk of non-compliance has 
been reduced. 


Contact: Ken Macdonald, Shauna Dunlop, Rachael Gallagher 
7.3 Scotland 
7.3.1 Children & Young People (Scotland) Act 2014 


This legislation continues to generate work for the SRO as the 
implementation date nears (31 August). Activity in which we have been 
involved includes: keynote presentations to national conferences and 
sector specific master classes on data sharing in compliance with the 
DPA; participation on Scottish Government and sector specific 
working/steering groups looking at implementation; liaising with the 
SPSO on signposting of complaints about data sharing and work with the 
voluntary sector on the data sharing provisions of the legislation. 


Future Work: 


Continued work with Scottish Government, providing advice and guidance 
on the outcome of the legal challenge currently being considered by the 
Supreme Court. Continued high profile speaking engagements; and 
continued work with sector specific practitioners and the voluntary sector 
on data sharing in compliance with the DPA. Development of a MOU with 
SPSO on the associated complaints process. 


Outcomes: 


Raised profile of ICO as an authoritative source of advice and guidance; 
continued opportunities for engagement with a wide range of stakeholders. 


Contact: Maureen Falconer/Ken Macdonald 
7.3.2 Safeguarder Training 


Delivery of a series of DP awareness workshops to Scottish Safeguarders. 
Although Safeguarders have been in existence for some time, the Scottish 
Government has established a formal administration process by 
contracting the charity Children 1st to provide administrative support and 
organise relevant training events. A recent breach in respect of a 
Safeguarder brought the matter of data protection to the fore and the 
SRO was approached to assist in providing some DP training for 
Safeguarders. 


Future Work: 


Further sessions are to be arranged on an ad hoc basis throughout 
Scotland when the SRO has an engagement in specific areas outside the 
Central Belt. 


Outcomes: 


Raised profile of ICO as the Regulator of the DPA, as well as being an 
authoritative source of advice and guidance; continued opportunities for 
engagement with these specific stakeholders all of whom are data 
controllers in their own right. 


Contact: Maureen Falconer 
7.3.4 Integration of Health & Social Care 


Most of the work in this area has been on the data controller/data 
processor relationships within the new structures established in 
compliance with the Public Bodies (Joint Working) (Scotland) Act 2014. In 
one health board area specific legal advice was sought from the ICO and 
with the assistance of our in-house solicitors, we were able to provide a 
definitive view on the matter which was accepted and implemented by all 
parties. 

Future Work: 
None 
Outcomes: 


Raised profile of ICO as the Regulator of the DPA, as well as being an 
authoritative source of advice and guidance; good cross-organisational 
working embodying the ‘One ICO’ concept. 


Contact: Maureen Falconer 


7.3.5 “Part 7” Network 


The “Part 7” network is a grouping of FOI professionals in the Scottish 
NDPBs listed in Part 7 of the Schedule to the FOISA and is facilitated by 
the Office of the Scottish Information Commissioner. Although focussed 
on FOI, the ICO were invited to speak to the group on Data Protection 
Day. Topics of conversation included Safe Harbor, the General Data 
Protection Regulation, the Reuse of Public Sector Information Regulations 
and the surveillance cameras code of practice. 


Future Work: 

The Network has decided to extend their meetings so they can spend half 
the day looking at data protection matters and the ICO will have a 
standing invitation to attend. The next meeting is scheduled for 9 May 
2016 where we will lead the discussion on data sharing practices. 

Outcomes: 

Increased opportunities for engagement with a wide range of public sector 
stakeholders, particularly in the lead-in to the implementation of the 
GDPR. 


Contact: Maureen Falconer / David Freeland 

8. International 
8.1 International transfers to US 


In October the European Court of Justice invalidated the European 
Commission’s decision on the safe harbour framework for transfers of 
personal data from the EU to the US. Following the judgment the Article 
29 Working Party called for the European Commission and USA authorities 
to conclude their discussions on a replacement for safe harbor by the end 
of January. Whilst Article 29 were assessing the position at their 
February meeting the European Commission announced that they had 
completed negotiations with the US on the replacement for safe harbour - 
the EU-US privacy shield. Article 29 released a statement welcoming the 
conclusion of negotiations and said they would now provide the Commission 
with advice on the adequacy of the protections provided by the shield, as 
required by Article 30 of the Directive. 


In February the ICO published a blog and updated guidance for data 
controllers explaining what steps they could take in the interim and that it 
would be possible for controllers to continue to use other transfer tools 
such as binding corporate rules and standard contractual clauses. 


The Article 29 Working Party published an opinion on the privacy shield 
decision following their meeting in April. It recognised the improvements 
offered by the shield compared to safe harbour but highlighted concerns 
about the commercial and national security aspects of the shield. Article 
29 urged the Commission to address these concerns and seek solutions. 


The Commission will now have to assess these concerns, in discussion 
with the US authorities. The Member States, in the Article 31 Committee, 
have to vote on the shield as well (Article 29’s role is advisory). Following 
a positive vote the Commission may then issue a final adequacy decision 
on the shield. At present the timetable for next steps is unclear as it will 
depend on the extent of new negotiations between the EU and US. 


Contact: Steve Wood 

8.2 European Data Protection reforms 

In December 2015 the EU institutions reached political agreement on the 
texts of the General Data Protection Regulation (GDPR) and the Directive 
on data protection and law enforcement. After final checks the formal 
texts are likely to be published in June 2018, which will then trigger a two 
year implementation period. 


In January 2016 we ran a stakeholder workshop on the EU Data 
Protection reforms, listening to views of stakeholders on the challenges of 
implementing the legislation, what guidance should be prioritised and 
how the ICO could best enable compliance. Around 100 organisations 
attended. 


In March 2016 we launched our microsite www.dpreform.org.uk and a 
guidance document setting out 12 key steps organisations could take to 
prepare for the GDPR. 


The Article 29 working party has published an action plan for GDPR 
implementation during 2016. This covers areas such as: 


• Transition of Article 29 into the European Data Protection Board - 
governance and operation; 

• Guidelines and procedures on how the new consistency mechanism 
for cross border cases will work e.g. how data protection authorities 
will decide on fines in cross border cases; 

• Development of new guidelines for data controllers and processors 
on the GDPR. 


Contact: Steve Wood 
8.3 International conference 


In March the ICO hosted this year’s Annual International Enforcement 
Event held under the umbrella of International Conference activities. More 
than 30 delegates from over 20 authorities around the world participated 
in a series of workshops and discussion sessions to further practitioners’ 
understanding of how to make international enforcement cooperation 
work in the privacy regulatory community. The event explored several 
case-studies of how authorities have readied themselves to progress a 
cross-border enforcement approach with their partner authorities around 
the world. 


Contact: Hannah McCuasland 

9. Enforcement 
9.1 Anti-Spam Investigation Teams and Intelligence Hub 


In this quarter we issued eight civil monetary penalties totaling £930,000 
for contraventions of the Privacy and Electronic Communication 
Regulations (PECR), bringing to 18 the number of monetary penalties 
issued for unlawful marketing activities this year with a total of 
£1,985,000. 


The largest fine in this period - and the ICO’s largest ever - was £350,000 
against Prodial Ltd for making 46 million unsolicited automated marketing 
calls. We also issued two fixed penalties against Vodafone and Talk Talk 
for failing to report personal data breaches within the required time limit. 


We served six Enforcement Notices against: Advanced VOIP Ltd, Preferred 
Pensions LLP and Money Help Marketing Ltd for instigating unlawful 
marketing communications. These were all connected with a search 
warrant executed by the ICO in June last year. Direct Choice Home 
Improvements, Falcon and Pointer and FEP Heatcare Ltd all received 
Enforcement Notices to accompany monetary penalties they received. 


HELM Ltd withdrew their appeal against their monetary penalty of 
£200,000. UKMS Money Solutions Ltd’s appeal to the First Tier Tribunal 
against a penalty of £80,000 continues. 


We have issued 82 third party information notices in this quarter. Most of 
the monetary penalties issued since April 2015 rely on evidence obtained 
or corroborated by use of the third party information notice, and they 
remain an essential investigative tool. 


We have issued 37 Network Interoperability Consultative Committee 
(NICC) traces this quarter. This is another essential investigation tool. A 
NICC trace was used to identify the marketing company in the Direct 
Security Marketing Ltd CMP of £70,000 in February 2016. 


We continue to explore pro-active opportunities, using intelligence 
obtained from our regulatory activities. We spotted a new opportunity and 
in early March we wrote to a number of utility companies making 
enquiries about how they were acquiring and using consent from their 
customers. The findings will be used to inform education and awareness 
messages, and also intelligence gathering and enforcement opportunities. 


We presented on a webinar to over 90 call centre managers about 
compliance with PECR and the Data Protection Act. 

We monitored 8 organisations this quarter which we believe represent 
risks in relation to adherence to PECR. We held 4 compliance meetings 
with organisations in order to improve direct marketing practices. 
Following our investigation into allegations raised in the Daily Mail, two 
charities - British Red Cross and Age International - signed Undertakings 
committing their organisations to best practice in acquiring and retaining 
consent from supporters. We found no evidence of serious contraventions 
by the two organisations. 


As a result of investigations into compliance with the Privacy and 
Electronic Communication Regulations, we may identify criminal breaches 
of related law. We have two prosecutions ongoing under the Data 
Protection Act - one for section 17 (registration) offences and a section 
47 (failure to comply with notice) prosecution against another 
organisation. 


Work has been completed in preparation for the 2016 Global Privacy 
Enforcement Network (GPEN) Sweep, which will take place from 11 to 15 
April. The Sweep will be the first one which is coordinated and led by the 
ICO on its own. Around 30 countries will be involved. Making sure the 
sweep is conducted effectively - and with clear privacy rights based 
outcomes - is a challenge but also a great opportunity for the ICO. 


The Sweep topic agreed by the international participants is the ‘Internet 
of Things’, focusing on accountability. Organisations will be encouraged to 
look at the privacy information on websites of organisations, contact them 
to ask further questions and, where resources allow, purchase devices to 
look at the personal information collected. The aim is for findings to be 
published in quarter two of 2016-2017. 


The first London Action Plan (LAP) Executive Committee meeting was held 
in January, with representatives from regulators in Canada, the US, the 
Netherlands, New Zealand and the UK meeting at the ICO. The Executive 
Committee finalised the LAP’s operational plan for 2016-18. We are also 
planning the first ever LAP Sweep in 2016, aimed at tackling spam, which 
will be led by the ICO and Canadian CRTC. 


We have published the quarterly data security incident trends report as 
well as the monthly nuisance calls and messages threat assessments on 
our website. We routinely shared intelligence with other regulatory and 
law enforcement organisations to support our enforcement activity. 


We have developed new relationships by signing Memoranda of 
Understanding with the Charity Commission, CERT-UK (Computer 
Emergency Response Team) and LAP participants during the previous 
quarter. 

We are working to agree a Memorandum of Understanding with the 
Fundraising Regulator, which is the self-regulatory body responsible for 
making sure charities fundraise within the law. 


We published a report on our ‘mystery shopping’ project - Operation 
Bowler. This work helped to further our understanding of organisations 
using and sharing consumer data to send unsolicited communications. We 
will now use this way of working on an ongoing basis to provide 
intelligence and enforcement opportunities. 


We presented at a Competition and Markets Authority event looking at 
more effective ways to cooperate and share intelligence with other 
national and international regulatory bodies. We also hosted a visit from 
the Dutch consumer authority (ACM) to compare approaches to 
enforcement under the e-Privacy Directive. 


We have sought to improve our intelligence gathering and analysis 
capabilities through implementation of new analytical software and 
associated training for all team members. We have also started to receive 
information via a new ‘Tell Intel’ email address, created for staff to flag 
information rights issues they may encounter. 


We organised and participated in the International Enforcement 
Co-operation Event in March, at which a meeting of GPEN also took place. 
The delegate sessions focussed on practical use of the International 
Enforcement Handbook (developed by the UK and Canada with 
international input), by considering cross-border scenarios of 
contraventions. Feedback will be used to inform amendments to the 
Handbook. 


We are recruiting two additional Intelligence Officers to support the 
increasing demand for the support provided by the ICO’s Intelligence Hub. 


1st Quarter 2016-17 


We will continue to prioritise our investigations and activities to maintain 
focus on effective enforcement of the PECR, targeting unlawful activities 
by lead generation organisations. 


We will continue to report on our investigation of charities and whether 
they contravened the Data Protection Act and the PECR. 


We will deliver the international GPEN Sweep 2016. 


Working with the CRTC we will continue to lead planning for the first ever 
LAP Sweep. 

9.2 Civil Investigation Team 


The intake and closure of cases in Q4: 


[Table: cases in and cases out for Q4, with totals for the year; the layout was lost in extraction. Cases in Q4: figure not legible. Cases out Q4: 319. Totals for the year shown: 1,541 in Civil - 2,051 in total including IP; 1,713 in Civil - 1,954 in total including IP.] 


Across the year, the team achieved a total case closure rate of 1,541. 
This compares with 1,081 in 2014/2015 and represents the closure of an 
additional 460 cases, despite the increase in receipts. 


362 cases are under active investigation at present, an increase of 39 
cases from Q3. The team continued to pursue a reduction in the number 
of cases awaiting allocation during Q4 and by the end of March, there 
were just 31 cases waiting to be assigned. The new triage process, 
combined with the efficiencies achieved from splitting the team by sector 
continues to play a significant role in this. 


In total, the team risk assessed over 2,000 cases in 2015/2016, with a 
number of those being allocated to PID Operational Teams in line with 
Project Eagle. 


Sector trends - top ten 


Health 
Local Gov 
Education 
Gen Business 
Charities 
Solicitors/Barristers 
Police & Crim records 
Housing 
Lenders 
Financial Advisors 


*this is derived from all cases risk assessed by the team - and includes those transferred to PID 
sector teams 


The most significant work stream for DPA breaches continues to be the 
Health sector. In the fourth quarter and as a percentage of the total 
intake of cases, health accounted for 41% of all those risk assessed, as 
was the case in Q3. 

In common with our experiences in 2014/2015 and in the first, second 
and third quarters, Local Government continues to be a significant sector 
for intake. In Q4 just under 9% of the total intake related to the Local 
Government sector. The decreased intake for the Local Government 
sector over Q3 has reversed, but not to a significant degree. 


In Q3, we reported on the 62% increase in intake from the General 
Business sector. This increase has stalled, with receipts for Q4 falling 
nominally by six cases. 


We continue to monitor the situation and to identify new incident trends 
and threats and to target our activity appropriately. 


Monetary Penalties and formal regulatory action cases 


In January 2016, an Enforcement Notice was issued to the 
Alzheimer’s Society after serious failings in the way volunteers handled 
sensitive personal data were uncovered. The Notice required the charity 
to take a number of steps, including improvements to staff and volunteer 
training and to the implementation of secure methods of communicating 
data. The notice is currently subject to appeal. 


REDACTED 


In March 2016, Undertakings directing the data controllers to 
improvements in compliance were issued to the South Eastern Health 
and Social Care Trust following a number of disclosure in error 
incidents; and to the Chief Constable of Wiltshire Constabulary after an 
investigation into the loss of a file containing personal data revealed 
shortcomings in the organisation’s staff training. 


We issued four Notices of Intent during the fourth quarter - all of which 
are presently out for representations. 


REDACTED 


Other significant activity 


We represented the Enforcement Department at the annual DPPC 
conference in March, hosting a session on a data controller’s experience 
of a data breach and subsequent monetary penalty. 


We organised and participated in the International Enforcement 
Co-operation Event in March, at which a meeting of GPEN also took place. 
The delegate sessions focussed on practical use of the International 
Enforcement Handbook (developed by the UK and Canada with 
international input), by considering cross-border scenarios of 
contraventions. Feedback will be used to inform amendments to the 
Handbook. 


1st Quarter 2016-17 


In April, the Civil Investigation Team will deliver a session on 
cybersecurity at the Small and Medium Size businesses (SMEs) 
conference in Birmingham. A total of four sessions will be delivered, and it 
is hoped that the compliance advice provided will assist delegates in 
preventing such incidents, with an emphasis on SQL injection attacks. 


REDACTED. 
9.3 Criminal Investigations Team 


The professional development of the Criminal Investigations Team 
continued with the delivery of disclosure training in early January. In the 
same month members of the team also attended a professional 
development seminar in respect of the acquisition of Communications 
Data under the Regulatory Investigatory Powers Act (RIPA) and the role 
of the SPoC. This theme will continue with the delivery of the Advanced 
Certificate in Investigatory Practice from Quarter 1 2016/17. 


REDACTED 


The Group Manager assisted at an ICO listening event on the EUDPR, held 
in London in January. Two members of the Team assisted at the Data 
Protection Practitioners Conference in early March whilst more team 
members were engaged at the International Enforcement Cooperation 
Event where they delivered a workshop based upon Operation Spruce. 


1st Quarter 2016-17 


• We will progress Operation Spruce by driving performance through 
the completion of actions and submission of further files to the 
Legal team. 

• We will continue to develop the team through the delivery of the 
Advanced Certificate in Investigatory Practice. 

• We will increase the resilience of the Enforcement Department by 
delivering specialist training for an additional Telecom SPoC. 

• REDACTED 

• We will conduct our first proactive operation in April and schedule a 
further operation for Quarter 3. 


9.4 Other enforcement activity 


REDACTED 

10. Performance Improvement 


As anticipated the final quarter of the year has been the most productive. 
Overall the year has seen an increase in the amount of data protection 
related concerns brought to our attention. Intake has been higher than 
expected, up 15% on last year. Receipts have outpaced closures, but we 
have been able to resolve more cases than ever before. We are now well 
placed to deal with this increased intake. Departments are fully staffed, 
and new recruits are becoming increasingly productive. Freedom of 
Information intake has again been higher than last year, but to a lesser 
extent, up by 4%. There has been a small shortfall in closures versus 
receipts. We have however issued a record number of formal FOI decision 
notices and expect to maintain current service levels into the new 
financial year. 


Our data protection yearly receipts include over 370 new cases from 
individuals who had asked search engines to remove results about them 
under the current ‘right to be forgotten’. During the year we made 459 
decisions about search engine results. Of those which were valid for a 
decision, we have required search engines to delist results in around a 
third of cases. 


Around a third of the cases we have received have related to criminal 
convictions in some way. We have not required delisting where the search 
results relate to recent or serious convictions, but in cases where a 
conviction has been minor and historic we have done so. We have also 
required delisting in a number of cases where search results relate to an 
individual’s past working life but only if the information is no longer 
considered relevant or they are not a public figure. We do not generally 
require delisting of information relating to an individual’s work if the 
information is more recent, and particularly if it relates to individuals or 
professions with a role that is public facing. 


FOI monitoring continues. The Ministry of Justice was initially being 
monitored for the period 1 September 2015 to 30 November 2015. 
However, as there was not sufficient improvement during this time, we 
advised MoJ that monitoring was to be extended for a further three 
months and obtained details of its improvement plan. 


We continued to work closely with the Metropolitan Police Service, 
meeting with the Deputy Commissioner, Assistant Commissioner and 
Director of Performance Assurance in February 2016, to discuss FOI 
performance further. We expressed disappointment at a recent drop in 
performance, as did those present. They explained they had committed 
more additional staff and would keep these there until performance was 
at an acceptable level. 
The initiative we undertook to write to all NI Departments regarding FOI 
performance has proved a success. All Departments co-operated fully, 
with engagement being very positive and welcomed. With the exception 
of one case, all Departments cleared all of their old overdue cases. We 
also continued to formally monitor DFPNI and work closely with them to 
improve their performance, and are satisfied with the measures they have 
taken and efforts they are putting in. We asked Chris Graham if it would 
be possible to visit NI before he departs the ICO and he has agreed; the 
Departments have welcomed this. 


The latest monitoring report recommended two new authorities for formal 
monitoring. One of those will commence shortly; the other, a government 
department, made representations through its Strategic Liaison contact 
and after considering evidence of its most recent performance we have 
concluded it would not be appropriate to formally monitor at this time. 

We are also currently informally monitoring a local council and have asked 
another council to provide us with its latest performance figures as 
indications are that formal monitoring may be necessary. 


The final quarter of the year also sees us reflect on the work carried out 
by the FOI appeals team. During the course of the year there were 275 
appeals received (including 9 remittals) to the Information Tribunal. We 
dealt with 257 cases and successfully defended over 80% of the 
Commissioner’s decisions. 